<Vulnerability name="CVE-2026-55180">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-06-25T17:00:35</PublicDate>
    <Bugzilla id="2493031" url="https://bugzilla.redhat.com/show_bug.cgi?id=2493031" xml:lang="en:us">
pnpm: pacquet: pnpm and pacquet: Information disclosure of environment secrets via improper environment variable expansion
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>6.5</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-15</CWE>
    <Details xml:lang="en:us" source="Mitre">
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm and pacquet expanded ${ENV_VAR} placeholders from repository-controlled .npmrc and pnpm-workspace.yaml into registry request destinations and registry credentials. A malicious repository could cause dependency resolution to send victim environment secrets to an attacker-selected registry before lifecycle scripts run. This vulnerability is fixed in 10.34.2 and 11.5.3.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in pnpm and pacquet. A malicious repository could exploit this vulnerability by crafting specific .npmrc or pnpm-workspace.yaml files. When these package managers process these files, they improperly expand environment variable placeholders, leading to the disclosure of sensitive victim environment secrets to an attacker-controlled registry. This could result in unauthorized access to confidential information.
    </Details>
    <Mitigation xml:lang="en:us">
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
    </Mitigation>
    <PackageState cpe="cpe:/a:redhat:amq_broker:7">
        <ProductName>Red Hat AMQ Broker 7</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>pnpm</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:build_keycloak:">
        <ProductName>Red Hat Build of Keycloak</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>pnpm</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_enterprise_application_platform:8">
        <ProductName>Red Hat JBoss Enterprise Application Platform 8</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>pnpm</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jbosseapxp">
        <ProductName>Red Hat JBoss Enterprise Application Platform Expansion Pack</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>pnpm</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-55180
https://nvd.nist.gov/vuln/detail/CVE-2026-55180
https://github.com/pnpm/pnpm/security/advisories/GHSA-3qhv-2rgh-x77r
    </References>
</Vulnerability>